Here's my third and probably last post on the topic of AD integration and Linux. This time around the goal is to integrate Kerberos authentication with Squid, so that users are not prompted for additional authentication when surfing the web.

The setup is the exact same as in the two previous articles (just with a 2008 DC instead of a 2003R2):

I'll assume that the AD domain is already configured and that the Debian box is already joined to the domain (see the previous blog posts on how to do that). As a first step, the squid3 package needs to be installed (unless bug #532064 has been fixed, you'll need to recompile the Debian package with the options mentioned in the bug report):

apt-get install squid3

Then we need to export the keytab entry for the HTTP/www.win2008.corp service principal, as required for Kerberos authentication:

net ads keytab add -U Administrator HTTP

Once that is done we'll have the appropriate keys in the default keytab (/etc/krb5.keytab). With ktutil you can explore the keys in the file:

At this point, a simple XP client that is joined to the win2008.corp Windows domain and uses www.win2008.corp as its proxy should be able to surf authenticated (do not forget to make sure that IE's integrated authentication option is enabled):